Lab Notes

Susan Bradley (the "SBS Diva") has another good point about Windows security. In this one she elucidates the difference between local (i.e., Built-in) administrators and domain administrators.

At the last company I worked, the standard policy was to give each user administrator access to their own machine, while reserving domain administrator access for sysadmins. If I were assembling a network today, the age of viruses and spyware, I don't think I would give users quite so much leeway. 99% of what most users do with their computers does not require administrator-level privileges, and having a user run with administrator-level privileges means that every application that user runs has administrator-level privileges. Since most applications don't (or at least, shouldn't) require such privileges, there's no reason to grant them.

Now, in the interests of disclosure, the Elektron configuratoin application requires administrator privileges in order to run. This doesn't really contradict what I've been saying, though: since your are using the application to administer your server, it's not unreasonable to expect it to require use by an administrator. In fact, you wouldn't want just any user to be able to change passwords or do other security-related damage.